Five Questions About the Latest WikiLeaks Release

Revelations by WikiLeaks raise concerns about the extent to which the C.I.A. can peek in on domestic and foreign targets, and how much private companies have compromised their customers. PHOTOGRAPH BY CHRISTOPHER MORRIS / VII / REDUX

On Tuesday morning, WikiLeaks released eight thousand seven hundred and sixty-one files that it said were “from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence,” in Langley, Virginia. The group called the collection “Year Zero,” the first installment of a larger project, Vault 7, which reveals the “hacking capacity” of the C.I.A.—and which is, in turn, part of a larger archive that, it claimed, had “been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” In other words, WikiLeaks has the files because the C.I.A. had “lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.” (WikiLeaks seems to have redacted some of the sensitive code.) The C.I.A. has had no comment, but multiple news organizations have reported that, at first glance, according to their intelligence sources, the material looks as if it did come from the agency. (After the release, Edward Snowden, the former National Security Agency contractor who leaked a cache of documents in 2013, tweeted, “Still working through the publication, but what @Wikileaks has here is genuinely a big deal. Looks authentic.”) The dates on some of the files are as recent as 2016. The size and the currency of the apparent breach raise a number of questions. Here are five to start with.

1. How many ways might the C.I.A. be watching? The files discuss the use of basic consumer products for surveillance. One of the more striking details involves your Samsung SmartTV listening in on you, perhaps in collaboration with the camera or the microphone in your iPhone—even when the television is turned off. A television could also potentially yield information about what news programs or non-English-language programs people watch—possible indicators of their political leanings, religious beliefs, or associations. These are not new scenarios for privacy advocates; some of the lawyers and journalists working on these matters put their phones in the refrigerator when having a sensitive conversation. But the files suggest that the C.I.A. has gone from the concept stage to the actual building of a box of tools that can be used to break into consumer electronics. (The tool for taking over a Samsung SmartTV is called the Weeping Angel, which raises another question: how much time do C.I.A. contractors spend watching “Doctor Who”?) It also looks as if the C.I.A. may have a way to get around the encryption features of messaging systems. And there is talk of “Potential Mission Areas,” such as the control systems of cars. (It is not clear, from the files, how much of all this has been put into effect, or whether it works in practice.)

2. How much have private companies compromised themselves and their customers? Based on the files, some service providers and equipment manufacturers seem to know a certain amount about what is going on. Will they have to answer for that to the markets and to consumers? What position might this put companies in vis-à-vis other jurisdictions in which they do business? Could the government of China ask Samsung why it hasn’t given it what the company has delivered, intentionally or not, to America? (Maybe it already has.) And what does all this say about the role of the government in defending America’s infrastructure? The files indicate that the U.S. government knows about—and is happy to make use of, and leave uncorrected—vulnerabilities that could also allow bad actors a way into American homes, or, for that matter, American intelligence agencies. On that point:

3. Are Americans the targets? This is going to be a key issue, both politically and legally. If the C.I.A. is developing these tools, and perhaps promulgating them to other intelligence agencies, is it also taking part in domestic spying? How is the line between domestic and foreign defined these days? The Guardian notes that one of the files related to the Samsung sets contains a reference to a “joint workshop with MI5/BTSS (British Security Service),” and that others refer to hackers working out of American diplomatic facilities in Germany. There has been a persistent concern that, in order to get around various statutory and constitutional restrictions on domestic spying, the intelligence agencies have outsourced the actual surveillance to foreign allies, and then shared the intelligence gained with them. (This is an American-centered way of posing the basic concern that people in other countries will have about how these tools might be used against them.) The files will at least pose the question of whether the C.I.A. is following the rules—and whether the rules might need changing. In other words,

4. What will the courts make of this? This is not only an American concern; courts in Europe may have something to say, too, given the strict privacy laws in many countries. Still, let’s start with American courts. An awful lot of the jurisprudence in the area of wiretapping is based on court cases that date back to the nineteen-seventies and imagine police officers having to get telephone-company technicians to open a box full of wires. Maybe the television-set-as-home-invader scenario will help push judges to take a fresh, hard look at that body of law. This would be something to ask Neil Gorsuch about at his Supreme Court confirmation hearings, later this month. And that brings us to the man who, at the moment, is at the head of the executive branch.

5. What about Donald Trump? Last week, he was complaining that President Obama, or someone, had tapped or bugged or otherwise failed to observe the sanctity of Trump Tower. Does Trump have any Samsung SmartTVs? As my colleague Steve Coll writes, there is a scenario in which Trump might be given pause about surveillance methods that might be directed at him and his associates. Or he might just rail against traitors in public and then ask, behind closed doors, when he gets to use these tools and toys himself. When the news of the revelations broke, some commentators asked if having promoted WikiLeaks’ Hillary Clinton-related revelations at his campaign rallies put Trump in an awkward position. But hypocrisy does not appear to be much of a constraint on this Administration. Nor are concerns about the laws circumscribing intelligence activities: Trump is a man who has complained that the C.I.A. isn’t allowed to torture people. The power of the President and his spies isn’t something that Trump seems to be interested in limiting—that is, as long as the President is named Trump.